
Cherry-pick #24488 to 7.12: [Filebeat] Add Dashboards to Threat Intel Module #24578

Merged
marc-gr merged 1 commit into elastic:7.12 from marc-gr:backport_24488_7.12
Mar 17, 2021

Conversation

@marc-gr marc-gr (Contributor) commented Mar 17, 2021

Cherry-pick of PR #24488 to 7.12 branch. Original message:

What does this PR do?

This PR adds a saved search, visualizations, and dashboards for the Threat Intel Filebeat Module.

Why is it important?

The overview dashboard provides valuable information on the health of the module, what type of data is being ingested, how much, and allows you to analyze module metrics.

The additional five dashboards provide a view into the different feeds and allow an analyst to hunt and find connections and associations that may not have previously been exposed.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding changes to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

  • Validated that ./filebeat setup imports the saved search, visualization, and dashboard
  • Validated that data provided by the Threat Intel Filebeat module populates the dashboards

How to test this PR locally

This can be tested by:

cd beats/x-pack/filebeat
mage update && mage build
./filebeat modules enable threatintel
# if using Elastic Cloud, update filebeat.yml to cloud.id and cloud.auth
./filebeat setup -E setup.dashboards.directory=./build/kibana
./filebeat

Go to Kibana -> dashboards -> apply the threat intel tag

Related issues

Resolves #24487

Use cases

Threat hunting, security operations, and intelligence analysis.

Screenshots

Threat Intel Overview (screenshot: filebeat-threatintel-overview)

Threat Intel Abuse Malware (screenshot: filebeat-threatintel-abuse-malware)

Threat Intel Abuse URL (screenshot: filebeat-threatintel-abuse-url)

Threat Intel AlienVault OTX (screenshot: filebeat-threatintel-alienvault-otx)

Threat Intel Anomali Limo (screenshot: filebeat-threatintel-anomali-limo)

Threat Intel MISP (screenshot: filebeat-threatintel-misp)

Logs

* added dashboards & docs

* ran mage fmt update

(cherry picked from commit 141273b)
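The "How to test this PR locally" steps above end with a manual look in Kibana. The script below is an added example (not code from the beats repository or from this PR) that automates the author's own check that `./filebeat setup` imported the dashboards. It assumes Kibana's saved-objects find API (`GET /api/saved_objects/_find`) with basic auth, and it assumes each dashboard title contains "Threat Intel" plus the feed name used in the screenshot captions; the exact titles are not spelled out on this page, so that mapping is an assumption. The `SAMPLE_RESPONSE` is constructed for the example and deliberately leaves the MISP dashboard out so the check has something to report.

```python
"""Verify that `./filebeat setup` imported the Threat Intel dashboards into Kibana.

Added example; not code from the beats repository. Assumes Kibana's
saved-objects find API (GET /api/saved_objects/_find, basic auth) and that each
dashboard title contains "Threat Intel" and the feed name from the PR's
screenshot captions (assumption: the PR page does not list the exact titles).
"""
import base64
import json
import os
import urllib.parse
import urllib.request

# Feed names taken from the PR's screenshot captions.
EXPECTED_FEEDS = ["Overview", "Abuse Malware", "Abuse URL",
                  "AlienVault OTX", "Anomali Limo", "MISP"]


def find_dashboards(kibana_url, user, password, search="Threat Intel", per_page=100):
    """Call Kibana's saved-objects find API and return the parsed JSON response."""
    query = urllib.parse.urlencode({
        "type": "dashboard",
        "search_fields": "title",
        "search": search,
        "per_page": per_page,
    })
    url = f"{kibana_url.rstrip('/')}/api/saved_objects/_find?{query}"
    req = urllib.request.Request(url)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("kbn-xsrf", "true")  # Kibana requires this header on API calls
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def dashboard_titles(find_response):
    """Pull the titles of every dashboard object out of a find response."""
    return [obj.get("attributes", {}).get("title", "")
            for obj in find_response.get("saved_objects", [])
            if obj.get("type") == "dashboard"]


def missing_dashboards(find_response, expected=EXPECTED_FEEDS):
    """Return the feed names for which no 'Threat Intel' dashboard title exists."""
    titles = [t.lower() for t in dashboard_titles(find_response)]
    return [feed for feed in expected
            if not any("threat intel" in t and feed.lower() in t for t in titles)]


# Constructed sample in the shape the find API returns. The titles are made up
# for this example (assumed "[Filebeat Threat Intel] <feed>" pattern) and the
# MISP dashboard is intentionally absent so the check reports something.
SAMPLE_RESPONSE = {
    "page": 1, "per_page": 100, "total": 6,
    "saved_objects": [
        {"type": "dashboard", "id": "d1", "attributes": {"title": "[Filebeat Threat Intel] Overview"}},
        {"type": "dashboard", "id": "d2", "attributes": {"title": "[Filebeat Threat Intel] Abuse Malware"}},
        {"type": "dashboard", "id": "d3", "attributes": {"title": "[Filebeat Threat Intel] Abuse URL"}},
        {"type": "dashboard", "id": "d4", "attributes": {"title": "[Filebeat Threat Intel] AlienVault OTX"}},
        {"type": "dashboard", "id": "d5", "attributes": {"title": "[Filebeat Threat Intel] Anomali Limo"}},
        # A saved search matching the query; ignored because it is not a dashboard.
        {"type": "search", "id": "s1", "attributes": {"title": "[Filebeat Threat Intel] Indicators"}},
    ],
}

if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    print("missing in sample:", missing_dashboards(SAMPLE_RESPONSE))  # ['MISP']

    # Live check against a running Kibana, configured via environment variables.
    if os.environ.get("KIBANA_PASSWORD"):
        resp = find_dashboards(os.environ.get("KIBANA_URL", "http://localhost:5601"),
                               os.environ.get("KIBANA_USER", "elastic"),
                               os.environ["KIBANA_PASSWORD"])
        missing = missing_dashboards(resp)
        if missing:
            raise SystemExit(f"dashboards not imported: {missing}")
        print("all Threat Intel dashboards present")
```

Run it after the `./filebeat setup` step with `KIBANA_URL`, `KIBANA_USER` and `KIBANA_PASSWORD` set (for Elastic Cloud, point `KIBANA_URL` at the deployment's Kibana endpoint); a non-zero exit lists the feeds whose dashboard never arrived, which is the usual symptom of `setup.dashboards.directory` pointing at a stale build.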
@elasticmachine elasticmachine (Contributor) commented:

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic Bot commented Mar 17, 2021

This pull request doesn't have a Team:<team> label.

@elasticmachine elasticmachine (Contributor) commented:

💚 Build Succeeded

Build stats

  • Build Cause: Pull request #24578 opened

  • Start Time: 2021-03-17T08:59:57.114+0000

  • Duration: 47 min 33 sec

  • Commit: 01dfff0

Test stats 🧪

Test Results
Failed 0
Passed 13023
Skipped 2229
Total 15252

💚 Flaky test report

Tests succeeded.

@P1llus P1llus (Member) left a comment:

LGTM

@marc-gr marc-gr merged commit 187937c into elastic:7.12 Mar 17, 2021
@marc-gr marc-gr deleted the backport_24488_7.12 branch March 17, 2021 10:04
leweafan pushed a commit to leweafan/beats that referenced this pull request Apr 28, 2023
…stic#24578)

* added dashboards & docs

* ran mage fmt update

(cherry picked from commit 1e65129)

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>